Every Shopify store sets cookies the moment a visitor lands on a page. Some keep the shopping cart alive. Others track browsing behaviour for analytics or serve targeted advertising. The distinction matters because privacy regulations treat these categories very differently, and getting it wrong can be expensive. In September 2025, the French CNIL fined Shein 150 million euros for placing advertising cookies on visitors' devices before any consent banner appeared.
If you run a Shopify store, you need to know exactly which cookies your site uses, which ones require consent, and how to manage them properly.
What Are Shopify Cookies?
Shopify cookies are small text files that the Shopify platform stores on a visitor's browser when they interact with a store built on Shopify. These files serve different purposes: remembering what a customer added to their cart, authenticating logged-in users, measuring page performance, and supporting advertising campaigns.
Shopify sets some of these cookies itself (first-party cookies tied to your store's domain), while others come from third-party services integrated into your store, such as Google Analytics 4, Meta Pixel, or TikTok Pixel. The platform's own cookie policy states that most persistent cookies expire between 30 minutes and two years from the date they are downloaded.
Types of Cookies on a Shopify Store
Shopify groups its cookies into four broad categories: strictly necessary, functional, analytics, and marketing. Each category carries different consent requirements under GDPR, the ePrivacy Directive, and the CCPA.
Strictly Necessary Cookies
These cookies are essential for the store to function. Without them, visitors could not add products to a cart, proceed through checkout, or maintain a secure session. Shopify uses several strictly necessary cookies, including session identifiers and load-balancing cookies that route requests to the correct server.
Because they are required for the service the visitor explicitly requested, strictly necessary cookies are exempt from consent under Article 5(3) of the ePrivacy Directive. You do not need to ask permission before setting them, but you still need to disclose them in your cookie policy.
Functional Cookies
Functional cookies remember user preferences such as language selection, currency, or region. Shopify refers to these as "user interface customisation persistent cookies" in its own documentation. They also include authentication cookies that keep a logged-in customer recognised across pages.
The consent position on functional cookies is nuanced. If a preference cookie stores a choice the visitor actively made, some regulators accept it falls under the "strictly necessary" exemption. Others disagree. The safest approach is to request valid consent for functional cookies unless they are genuinely indispensable.
Analytics and Performance Cookies
Shopify uses two subcategories here. First-party analytics cookies estimate unique visitors and track frequently searched terms without targeting users for advertising. Third-party analytics cookies come from external providers, most commonly Google Analytics, which sets cookies like _ga and _ga_* to measure how visitors interact with your store.
Under GDPR and the ePrivacy Directive, analytics cookies require prior consent. The CNIL offers a narrow exemption for audience measurement tools that meet strict conditions (no cross-site tracking, limited retention, aggregated reporting only), but standard GA4 configurations do not qualify.
Marketing and Advertising Cookies
Marketing cookies track visitors across sites to build profiles for targeted advertising. On Shopify stores, these typically come from Meta Pixel (_fbp, _fbc), Google Ads, TikTok, and Pinterest installed via Shopify's sales channels or custom pixel integrations.
Shopify itself does not set advertising cookies through merchants' storefronts directly. The marketing cookies on your store come from third-party scripts you or your apps have added. These always require explicit, informed consent before activation, regardless of jurisdiction.
Common Shopify Cookie Names and Their Purposes
The table below lists the most commonly encountered cookies on Shopify stores, their type, and typical duration.
| Cookie Name | Type | Purpose | Duration |
|---|---|---|---|
| _shopify_s | Analytics | Session tracking for Shopify analytics | 30 minutes |
| _shopify_y | Analytics | Unique visitor identification | 1 year |
| cart | Necessary | Associates the visitor with a shopping cart | 14 days |
| secure_customer_sig | Necessary | Authenticates logged-in customers | 1 year |
| _tracking_consent | Necessary | Stores the visitor's consent preferences | 1 year |
| _shopify_sa_t | Analytics | Shopify analytics relating to referrals | 30 minutes |
| _shopify_sa_p | Analytics | Shopify analytics relating to page views | 30 minutes |
| _ga | Analytics (3rd party) | Google Analytics user identification | 2 years |
| _fbp | Marketing (3rd party) | Meta Pixel browser identification | 3 months |
| localization | Functional | Stores country and language preference | 1 year |
This is not exhaustive. Every app you install on Shopify may introduce additional cookies. A cookie scanner is the only reliable way to get a complete inventory.
Does Your Shopify Store Need Cookie Consent?
Yes, almost certainly. If your store is accessible to visitors in the EU, UK, Brazil, or certain US states, you are subject to at least one privacy regulation that mandates consent for non-essential cookies.
Under GDPR Article 5 and the ePrivacy Directive, any cookie that is not strictly necessary requires prior, informed, freely given consent. That includes Shopify's own _shopify_y and _shopify_s analytics cookies, not just third-party trackers.
The CCPA takes a different approach. It does not require opt-in consent for cookies, but it does require that you inform visitors about data collection and provide a clear "Do Not Sell or Share My Personal Information" mechanism if cookies share personal data with third parties for advertising.
In practice, the simplest approach is to implement an opt-in cookie consent banner for EU and UK visitors and an opt-out mechanism for California visitors. Shopify's built-in consent tools support this region-based approach.
Shopify's Built-In Privacy Tools
Shopify provides a Customer Privacy API that handles consent signals natively. This API categorises tracking into four purposes: analytics, marketing, preferences, and sale_of_data. When a visitor grants or denies consent through a banner, those signals pass to Shopify's own tracking and can be forwarded to third-party tools.
Since December 2024, Shopify integrates with Google Consent Mode v2 directly from the admin panel. With the right configuration, Shopify automatically transmits consent signals to Google tags, so Google Analytics and Google Ads respect visitor choices without custom code.
The platform allows you to configure consent banners on a per-region basis. You can require opt-in consent for EEA and UK visitors while using a different setup for regions without strict cookie laws. This is configured under Settings, then Customer Privacy in the Shopify admin.
Compliance Tips for Shopify Store Owners
Audit Your Cookies Regularly
Shopify apps add and remove cookies frequently. A scheduled cookie scan catches changes you might not notice manually. Run a scan every time you install or remove an app, change themes, or add tracking pixels.
Block Non-Essential Scripts Before Consent
A consent banner is useless if analytics and marketing scripts fire before the visitor clicks "Accept." This was exactly Shein's mistake: advertising cookies were placed the moment a user landed on the site, before any banner was shown. Use Shopify's Customer Privacy API or a consent management platform that integrates with it to block scripts until valid consent is recorded.
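The check below is an added example, not Shopify's code or part of the original article. It takes the Set-Cookie headers captured on a first page load, before any banner interaction, and flags every cookie outside the "Necessary" category, which also serves the scheduled audit described above. The category map uses only cookie names from this article; the sample headers and the `app_widget_id` cookie are constructed.

```javascript
// Categories follow the article's cookie table; _fbc and _ga_* come from its text.
const KNOWN_COOKIES = [
  { match: /^(cart|secure_customer_sig|_tracking_consent)$/, category: "necessary" },
  { match: /^localization$/, category: "functional" },
  { match: /^_shopify_(s|y|sa_t|sa_p)$/, category: "analytics" },
  { match: /^_ga(_.+)?$/, category: "analytics" },
  { match: /^_fb[pc]$/, category: "marketing" },
];

// Extract the cookie name from one Set-Cookie header value.
function cookieName(setCookie) {
  const pair = setCookie.split(";")[0];
  const eq = pair.indexOf("=");
  return (eq === -1 ? pair : pair.slice(0, eq)).trim();
}

// Names not in the map are "unknown": apps add cookies the table does not list.
function classify(name) {
  const hit = KNOWN_COOKIES.find((k) => k.match.test(name));
  return hit ? hit.category : "unknown";
}

// Return every cookie set before consent that is not strictly necessary.
function auditPreConsent(setCookieHeaders) {
  const seen = new Set();
  const findings = [];
  for (const header of setCookieHeaders) {
    const name = cookieName(header);
    if (!name || seen.has(name)) continue;
    seen.add(name);
    const category = classify(name);
    if (category !== "necessary") findings.push({ name, category });
  }
  return findings;
}

// Constructed sample: headers from a first page load, no banner interaction yet.
const SAMPLE_HEADERS = [
  "cart=abc123; Path=/; Max-Age=1209600; SameSite=Lax",
  "_tracking_consent=xyz; Path=/",
  "_shopify_y=1111-2222; Path=/; Max-Age=31536000",
  "_ga_ABC123=GS1.1.0; Path=/",
  "_fbp=fb.1.1700000000000.1; Path=/",
  "app_widget_id=9; Path=/", // hypothetical app cookie, not from the article
];

console.log(auditPreConsent(SAMPLE_HEADERS));
```

An empty result on a pre-consent load is the passing state; "unknown" entries need manual categorisation before they can be added to the cookie policy.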
Match Your Banner to Regulatory Requirements
A banner must give visitors a genuine choice. Under GDPR, the option to reject cookies must be as prominent and accessible as the option to accept. Pre-ticked checkboxes and "accept-only" banners do not constitute valid consent. The CNIL's 2025 enforcement actions specifically targeted banners that lacked a visible "Reject All" button or buried the refusal option behind multiple clicks.
Maintain a Cookie Policy
Your store needs a public cookie policy listing every cookie by name, its purpose, whether it is first-party or third-party, and its duration. Shopify does not generate this automatically. You can create one using a cookie policy generator and link it from your banner and footer.
Handle Cross-Border Complexity
Shopify stores often sell internationally. A visitor from Germany falls under DSGVO and TTDSG. A visitor from California falls under the CCPA/CPRA. A visitor from Brazil is covered by the LGPD. Geo-detection with region-specific consent rules is the practical solution.
What Happens If You Ignore Cookie Compliance?
GDPR fines can reach 20 million euros or 4% of global annual turnover, whichever is higher. The ePrivacy Directive, implemented through national laws, carries its own penalties. The CNIL alone issued over 486 million euros in fines during 2025, with cookies, employee monitoring, and data security as the top three enforcement areas.
Smaller stores should not assume they fly under the radar. Spain's data protection authority has issued over 1,000 GDPR fines since 2018, many against smaller organisations, and enforcement is broadening across Europe.
Beyond fines, non-compliance affects customer trust. A poorly designed cookie banner or the absence of one signals to privacy-conscious shoppers that a store does not take data protection seriously.
Frequently Asked Questions
Does Shopify set advertising cookies on my store by default?
No. Shopify does not set advertising cookies through merchants' storefronts directly. Marketing cookies on your store come from third-party scripts and apps you have installed, such as Meta Pixel, Google Ads, or TikTok Pixel.
Which Shopify cookies are exempt from consent requirements?
Only strictly necessary cookies are exempt under the ePrivacy Directive. These include the cart cookie, session authentication cookies, and load-balancing cookies. Analytics cookies like _shopify_y and _shopify_s are not exempt and require consent from EU and UK visitors.
How do I find all the cookies my Shopify store sets?
Run a cookie scan using a dedicated scanner tool. Manually checking browser developer tools can miss cookies set by third-party scripts that only load on specific pages or after certain interactions.
Can I use Shopify's built-in cookie banner for GDPR compliance?
Shopify offers a basic consent banner through its Customer Privacy settings. It integrates with the Customer Privacy API and supports Google Consent Mode v2. For stores with complex needs, such as granular category-level consent, auto-translated banners, or detailed consent logging, a dedicated consent management platform may be more suitable.
What is Shopify's Customer Privacy API?
It is a JavaScript API that manages consent signals on Shopify storefronts. It categorises tracking consent into analytics, marketing, preferences, and sale of data. When a visitor accepts or rejects cookies through a banner, the API communicates those choices to Shopify's tracking systems and compatible third-party tools.
Do I need a separate cookie policy if I already have a privacy policy?
A privacy policy covers broad data processing practices. A cookie policy specifically lists every cookie by name, purpose, type, and duration. Regulators like the CNIL expect this level of detail. You can include cookie information within your privacy policy or publish it as a separate document, but the detail must be there either way.
How often should I scan my Shopify store for new cookies?
At minimum, scan after every app installation or removal, theme change, or tracking pixel update. A monthly scheduled scan is good practice for stores that update regularly, as apps can introduce new cookies silently through updates.
Get Your Shopify Store's Cookies Under Control
If you are unsure which cookies your Shopify store currently sets, start with a scan. Kukie.io detects and categorises cookies across your entire storefront, integrates with Shopify via a simple script, and supports geo-targeted consent banners that adapt to each visitor's jurisdiction.